If Not Session("loginpassed") Then
Response.Redirect "login.asp"
End If
[web] ASP: Session gets lost randomly
Author
I’m having a real frustrating problem with sessions.
I have a login page that assigns a login name and password to a session variable if they match up (the session variable gets set to True). I can login and it all works fine, except sometimes a page will lose the session variable it seems and ask me to log back in. If I go back a page and try to get to that screen again without logging in again (I should already be logged in from before) it suddenly finds the session variable and works as normal.
It seems like some pages never have this problem, and others I have to keep hitting back and clicking the link again and again until it finally finds the session variable. Very annoying. The top of each page contains -
Consider setting the session timeout to a higher value, it may be that. Does it always happen or are you leaving it alone for a while?
How good is your internet connection?
Whenever the internet connection is lost here (even resetting the hub borks it) so are all the sessions, meaning that we have to log in again.
One solution would be to have an automatic login (using cookies) so that if you were logged out it would try to recover itself using the stored cookies, and if not then redirect to the login page.
Whenever the internet connection is lost here (even resetting the hub borks it) so are all the sessions, meaning that we have to log in again.
One solution would be to have an automatic login (using cookies) so that if you were logged out it would try to recover itself using the stored cookies, and if not then redirect to the login page.
Possible causes of this are:
1. Host name inconsistency - not all of your users are using the same host name to access your site (beware, site aliases ARE signficant), and some of your pages are using absolute URLs.
This causes cookies to be lost because they are specific to the *exact* host name used, i.e. www.gamedev.net cookies won't be sent to gamedev.net
2. IIS falling over / crashing
In ASP, session variables are stored entirely in memory. If the ASP app server needs to restart for any reason (planned or unplanned), they are deleted. This can be caused by:
- Modifying global.asa
- Some types of change to the IIS configuration
- IIS crashing or halting as a result of some internal error (usually a dodgy DLL component, for example COM server DLL or ODBC driver) - but can also be caused by attacks on vulnerable components by worms, for example (if this is the case, your machine is probably compromised)
- Someone manually restarting IIS (for example with the iisreset command, or service control manager)
- A reboot
3. Session timing out or being abandoned
The session timeout can be changed in the IIS manager, or overridden on a per session basis in the ASP code. A common place to set this is in global.asa session_onstart or in your login page (for example, use a short session timeout for anonymous users and a longer one for logged in people)
Beware that having too many sessions will use up loads of memory.
Under no circumstances place nontrivial objects in the session variable - only strings, integers etc should be used (No ADO objects etc)
If there are too many sessions, I'm not sure what IIS does.
Session.Abandon() is a function which will explicitly throw a session away (I think it actually survives until the end of page execution and is then removed)
Mark
1. Host name inconsistency - not all of your users are using the same host name to access your site (beware, site aliases ARE signficant), and some of your pages are using absolute URLs.
This causes cookies to be lost because they are specific to the *exact* host name used, i.e. www.gamedev.net cookies won't be sent to gamedev.net
2. IIS falling over / crashing
In ASP, session variables are stored entirely in memory. If the ASP app server needs to restart for any reason (planned or unplanned), they are deleted. This can be caused by:
- Modifying global.asa
- Some types of change to the IIS configuration
- IIS crashing or halting as a result of some internal error (usually a dodgy DLL component, for example COM server DLL or ODBC driver) - but can also be caused by attacks on vulnerable components by worms, for example (if this is the case, your machine is probably compromised)
- Someone manually restarting IIS (for example with the iisreset command, or service control manager)
- A reboot
3. Session timing out or being abandoned
The session timeout can be changed in the IIS manager, or overridden on a per session basis in the ASP code. A common place to set this is in global.asa session_onstart or in your login page (for example, use a short session timeout for anonymous users and a longer one for logged in people)
Beware that having too many sessions will use up loads of memory.
Under no circumstances place nontrivial objects in the session variable - only strings, integers etc should be used (No ADO objects etc)
If there are too many sessions, I'm not sure what IIS does.
Session.Abandon() is a function which will explicitly throw a session away (I think it actually survives until the end of page execution and is then removed)
Mark
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
